Low reputation massive IP attacks

In the last week we have received massive attacks from several different IP. Using tools like https://cleantalk.org we find that some of these IP have a low reputation (ips tested,, Why can’t Cloud Flare stop requests from those low reputation IP? How can I configure Cloud Flare to automatically block these low reputation IP, without having to map them manually?


What do you have your " Security Level" of your site set to?

You can check this in by clicking Firewall then clicking Settings (on the right side of the page).

Hi @thiago.machado,

As @israel1 mentioned, you can set a higher Security Level using the Firewall app settings. The following threat level will apply for each level:

High > 0
Medium > 14
Low > 24
Essentially Off > 49

If you want a more granular control, you can create a firewall rule specifying any number as the desired threshold.


Hi @cbrandt and @israel1,

I already set these two options as you said. I set Security Level to High and Threat Score first to 10 then to 5 and last to 1 and neither of these values ​​could stop the attacks. Even being ip with low reputation.
What more could be done?

@thiago.machado Can you also confirm that these IP’s are coming in via proxied traffic?
Are they getting a challenge?
Are they showing in your CF firewall event logs?


I can not confirm if these IP’s are coming in via proxied traffic.

“Are they getting a challenge?” yes, but all traffic are been challenged
“Are they showing in your CF firewall event logs?” yes

@thiago.machado an you send us screenshot of overview page? Wondering how much was being thrown at you in order to take you down.

@israel1 We are not take you down. The massive IP attacks are causing a lot of consumption of our servers. Making us spend above normal.

Is the malicious traffic from any specific geographic locations?
Any common agents that are being used?

Just trying to see if there are any custom rules that you can add that will reject the traffic before it hits your servers.

Hi @israel1,

The attacks come from different regions and different ip, with different user agents. So not having a pattern. We have already tried to analyze ips for a pattern but to no avail.

This topic was automatically closed after 30 days. New replies are no longer allowed.